Defend what you create

Other Resources

Close

Library
My library

+ Add to library

Contact us
24/7 Tech support | Rules regarding submitting

Send a message

Your tickets

Profile

Win32.HLLW.Autoruner.58704

Added to the Dr.Web virus database: 2011-09-12

Virus description added:

Technical Information

To ensure autorun and distribution
Modifies the following registry keys
  • [<HKLM>\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run] 'Audio HD Driver' = '%TEMP%\win.exe'
Creates or modifies the following files
  • %APPDATA%\microsoft\windows\start menu\programs\startup\win.exe
Sets the following service settings
  • [<HKLM>\System\CurrentControlSet\Services\IKEEXT] 'Start' = '00000002'
Malicious functions
To complicate detection of its presence in the operating system,
forces the system hide from view:
  • hidden files
Modifies file system
Creates the following files
  • %TEMP%\serv.exe
  • %TEMP%\tgp.jpg
  • %APPDATA%\microsoft\crypto\rsa\s-1-5-21-1960123792-2022915161-3775307078-1001\f8b62a7e0898a45bb79b4b5eca503faf_36d1130a-ac2e-44f7-9dc1-e424fbcbe0ee
  • %APPDATA%\microsoft\crypto\rsa\s-1-5-21-1960123792-2022915161-3775307078-1001\72a9caa2c7b732d09aefcac74c853c14_36d1130a-ac2e-44f7-9dc1-e424fbcbe0ee
  • %APPDATA%\microsoft\crypto\rsa\s-1-5-21-1960123792-2022915161-3775307078-1001\ba7d4720fdd954e62596b8f0f91dea18_36d1130a-ac2e-44f7-9dc1-e424fbcbe0ee
  • %PROGRAMDATA%\microsoft\crypto\rsa\machinekeys\99fe3b9c8ce3aec5d527e94a38e7c083_36d1130a-ac2e-44f7-9dc1-e424fbcbe0ee
  • %TEMP%\win.exe
Sets the 'hidden' attribute to the following files
  • %TEMP%\win.exe
  • %APPDATA%\microsoft\windows\start menu\programs\startup\win.exe
Network activity
TCP
HTTP GET requests
  • http://ho###age.cz.cc/cinterval.txt
HTTP POST requests
  • http://ho###age.cz.cc/connect.php
  • '16##86.com':443
  • UDP
    • DNS ASK ho###age.cz.cc
    • DNS ASK 16##86.com
    Miscellaneous
    Creates and executes the following
    • '%TEMP%\serv.exe'
    Executes the following
    • '%WINDIR%\syswow64\netsh.exe' Advfirewall set Currentprofile State off

    The Russian developer of Dr.Web anti-viruses

    Doctor Web has been developing anti-virus software since 1992

    Dr.Web is trusted by users around the world in 200+ countries

    The company has delivered an anti-virus as a service since 2007

    24/7 tech support

    © Doctor Web
    2003 — 2020

    Doctor Web is the Russian developer of Dr.Web anti-virus software. Dr.Web anti-virus software has been developed since 1992.

    2-12А, 3rd street Yamskogo polya, Moscow, Russia, 125040